security

use uMatrix and uBlock browser plugins

To browse the web more securely you should use the browser plugins uBlock and uMatrix.

uBlock (https://www.ublock.org/) is a powerful advertisement blocker that does not allow for paid whitelisting like Adblock does; you as the user remain in control over which ads you want to block. It is open source and also blocks trackers. Furthermore, it is less likely to be detected by the anti-ad-block mechanisms which some sites deploy to coerce you into enabling ads.

uMatrix (https://github.com/gorhill/uMatrix) is another browser plugin that can help you with your browsing experience, although it is more targeted at advanced users. It effectively acts as a firewall for your browser that by default blocks cookies, scripts, plugins, CSS, images, frames and XHR. The user is expected to whitelist, for each website, which functionality it is allowed to use, which makes very fine-grained control possible. It may seem annoying to use at first since you need to whitelist sites that you trust, but in my experience it is worth it.

How to remove the passphrase from a key

Using the following commands you can remove the passphrase from your key.

cp private.key private.key.org
openssl rsa -in private.key.org -out private.key

The newly created key doesn't contain a passphrase anymore.


Remove Passphrase from Key

One unfortunate side effect of a passphrase-protected private key is that you will be asked for the passphrase each time the web server is started. Obviously this is not necessarily convenient, as someone will not always be around to type in the passphrase, such as after a reboot or crash.

Solution on creating a CSR

The simplest way to generate a CSR on Unix systems is through the terminal.
First we create our private key, then we create the certificate signing request.

  • Generating our key
    openssl genrsa -out keyname.key 2048
  • Creating a CSR
    openssl req -new -key keyname.key -out MyCsr.csr
  • After that, we take our CSR and submit it to a certificate authority

Create CSR via command line

Step 1: Generate an RSA Private Key (How to generate an RSA Private Key)

Step 2: Generate a CSR (Certificate Signing Request)
Type this command into your console:
openssl req -new -key private.key -out certificate.csr

Next you have to enter the pass phrase of your previously generated private key:
Enter pass phrase for private.key:

During the generation process of the CSR you will have to provide some information for the X.509 attributes, like a Country Name, but you don't have to provide all of the requested information. If you enter '.', the field will be left blank.

Snippet from the console output of the requested information:
...
Country Name (2 letter code) [AU]: .
State or Province Name (full name) [Some-State]: .
Locality Name (eg, city) []: .
...

After these steps your certificate signing request has been successfully generated.
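The key, passphrase-removal and CSR steps above, run end to end as an added shell script that is not part of the original page. It goes one step further than the text by checking the finished CSR the way a CA would. The openssl CLI, the file names and the sample passphrase are assumptions.

```shell
# Added example, not from the original page: the key, passphrase-removal and
# CSR steps above, run end to end. Assumes the openssl CLI is installed; file
# names and the passphrase are constructed samples.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=pass:sample-passphrase   # constructed; never hard-code a real one like this
# Step 1: 2048-bit RSA key encrypted with Triple-DES, as the page describes.
# -passout answers the passphrase prompt so the script runs unattended.
make_encrypted_key() {
    openssl genrsa -des3 -passout "$PASS" -out "$WORK/private.key" 2048 2>/dev/null
}

# Header says ENCRYPTED only while passphrase-protected (legacy PEM or PKCS#8).
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Step 2: the page's passphrase removal. The result is a plaintext key, so
# restrict its permissions: whoever can read the file now owns the identity.
strip_passphrase() {
    cp "$WORK/private.key" "$WORK/private.key.org"
    openssl rsa -in "$WORK/private.key.org" -passin "$PASS" \
        -out "$WORK/private.key" 2>/dev/null
    chmod 600 "$WORK/private.key"
}

# Step 3: the CSR. -subj replaces the interactive questions; any field not
# listed stays blank, exactly like answering '.' at the prompt.
make_csr() {
    openssl req -new -key "$WORK/private.key" -subj "/CN=example.test/O=Example Org" \
        -out "$WORK/certificate.csr" 2>/dev/null
}

# What a CA checks before signing: the CSR's self-signature verifies and the
# public key inside it is the one derived from our private key.
csr_is_consistent() {
    openssl req -in "$WORK/certificate.csr" -noout -verify >/dev/null 2>&1 &&
    [ "$(openssl req -in "$WORK/certificate.csr" -noout -pubkey)" = \
      "$(openssl rsa -in "$WORK/private.key" -pubout 2>/dev/null)" ]
}
run_all() {
    make_encrypted_key || return 1
    key_is_encrypted "$WORK/private.key" || return 1            # protected before
    strip_passphrase || return 1
    if key_is_encrypted "$WORK/private.key"; then return 1; fi  # plaintext after
    make_csr || return 1
    csr_is_consistent
}
run_all && echo "key generated, passphrase removed, CSR verified"
```

The plaintext private.key is what the web server will load unattended; the encrypted private.key.org is the copy to keep somewhere the server does not read from.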

Generate an RSA Private Key

This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in PEM format so that it is readable as ASCII text.

Create a certificate signing request (CSR)

A certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate.

How to implement a secure session management system in PHP (and generally)?

Developers, especially inexperienced PHP developers, have a tendency not to care much about security-related issues. This is true for the problem of secure sessions, too, and is the reason why attackers of a certain website or service can easily hijack sessions to get access to data which they should not have access to. Because HTTP is a stateless protocol, sessions are required to identify a certain client across multiple requests. In PHP this identification is done via "session IDs", which are exchanged between the client and the web server on each request (the session ID may be stored as a cookie, in the URL or in a hidden field). The server stores the session ID locally to identify a certain client if the session ID is present in a certain request. If an attacker is able to steal the session ID of a certain client, the server will "think" that the attacker is the client. As a result, the attacker will be able to do everything the client is allowed to do. How do I implement a session management system in PHP (and generally) which is more secure and better protected against "session hijacking" attempts?

Anti Web-blocking

Many countries around the world, like China or Iran, do not provide freedom of Internet browsing. YouTube or news websites may be blocked by a government. In some cases, like in Tunisia before the revolution, even links to proxies are blocked. So how is it possible to get past the walls of web-blocking?

Secure Web-Application

Initial research showed that there are several standards for software development (e.g. IEEE 730, 829, 830, ...), particularly with an emphasis on quality management. In addition there are guidelines for IT security (ISO 27001) or the standard according to BSI. At the center of these regulations is the demand to preserve security, but rarely a hint of the operational way to achieve it.
Only A7700 ("Requirements in terms of security for web applications") contains a practice-oriented approach and complete coverage of the security requirements for web applications.
On the basis of A7700, a procurement guideline was developed, taking into account the internal requirements (architecture, databases used, ...), which must be included with every procurement of a web application.
Link: ÖNORM A 7700 (http://www.a7700.org/)
